I'm putting together a spec for a REST service, part of which will incorporate the ability to throttle users service-wide and on groups of, or on individual, resources. Equally, time-outs for these would be configurable per resource/group/service.

I'm just looking through the HTTP 1.1 spec and trying to decide how I will communicate to a client that a request will not be fulfilled because they've reached their limit.

Initially I figured that client code 403 - Forbidden was the one, but this, from the spec:

Authorization will not help and the request SHOULD NOT be repeated

bothered me.

It actually appears that 503 - Service Unavailable is a better one to use - since it allows for the communication of a retry time through the use of the Retry-After header.

It's possible that in the future I might look to support 'purchasing' more requests via eCommerce (in which case it would be nice if client code 402 - Payment Required had been finalized!) - but I figure that this could equally be squeezed into a 503 response too.

Which do you think I should use? Or is there another I've not considered?

2 Answers
2

429 Too Many Requests

The user has sent too many requests in a given amount of time. Intended for use with rate limiting schemes. This code has been accepted in RFC 6585Additional HTTP Status Codes.

The 429 status code indicates that the user has sent too many
requests in a given amount of time ("rate limiting").
The response representations SHOULD include details explaining the
condition, and MAY include a Retry-After header indicating how long
to wait before making a new request...
Note that this specification does not define how the origin server
identifies the user, nor how it counts requests. For example, an
origin server that is limiting request rates can do so based upon
counts of requests on a per-resource basis, across the entire server,
or even among a set of servers. Likewise, it might identify the user
by its authentication credentials, or a stateful cookie.
Responses with the 429 status code MUST NOT be stored by a cache...

503! 503! 503! Reached the limit, the next call is forbiden. Plain and simple...
–
Yannis♦Jan 5 '12 at 12:10

@YannisRizos: Ah, but it's not forbidden once the payment has been made!
–
MarcinJan 5 '12 at 12:13

1

The error code represents the result of the single request. If the payment was made, then on a subsequent request it's business as usual... If you document the behaviour, it's fine by me. Or you could just return 200, with an error message. But that's not pretty. Although some might say using HTTP error codes for business logic is not pretty. Ah well, I'd personally go with 503, service is not available at this moment - until of course 402 is commonly supported.
–
Yannis♦Jan 5 '12 at 12:21

@YannisRizos (& Marcin) - thanks for your comments - I figured 503 was the best one to go with; whilst also understanding that implementations of a RESTful nature can often fall foul of being woolly when it comes to their use of HTTP status codes. My personal viewpoint on this is to use what the protocol provides unless it doesn't fit (which is actually very rare). In this case, it definitely does!
–
Andras ZoltanJan 5 '12 at 12:38